Conti ransomware brand is dead, but gang restructures: Report

The Conti ransomware gang’s brand is dead. That’s the conclusion of researchers at Advanced Intelligence.

Its infrastructure related to negotiations, data uploads, and hosting of stolen data has been shut down.

However, before you start celebrating, the researchers say the gang has dispersed and is operating under a number of smaller brands.

This is part of a calculated scheme that started two months ago when the gang expressed support for Russia’s invasion of Ukraine. That, the researchers argue, made the Conti brand toxic to cyber intelligence agencies and organizations the gang hit. Since then almost no ransom payments have been made to the group. Its locker code became highly detectable by IT defenders and was rarely deployed.

The AdvIntel researchers argue that Conti’s backing of Russia violated an unwritten rule of threat actors: Don’t get involved in politics. One gang member allegedly was so angered that they leaked private Conti chat messages.

And it didn’t help that on May 6th, the U.S. offered rewards of up to US$10 million for information leading to the takedown of the Conti group. The highly-publicized attack on government agencies of Costa Rica was a diversion while it restructured, say AdvIntel researchers.

What next? Conti is adopting a network organizational structure, says AdvIntel, one that is more horizontal and decentralized than its previously rigid hierarchy. “This structure will be a coalition of several equal subdivisions, some of which will be independent, and some existing within another ransomware collective. However, they will all be united by internal loyalty to both each other and the Conti leadership.”

Type 1. Fully autonomous partners: These are pure data-stealing groups. They include the Karakurt, BlackBasta and BlackByte gangs. For a backgrounder on the BlackByte gang see this analysis by Cisco Systems;

Type 2: Semi-autonomous partners: These act as Conti-loyal collective affiliates within other collectives in order to use their ransomware locker: These include the AlphV/BlackCat, Hive, HelloKitty/FiveHands and AvoisLocker gangs;

Type 3:Independent affiliates: These are individuals who may do the actual initial hack of an organization but are loyal to Conti;

Type 4: Mergers & Acquisitions: These are small threat actor groups the Conti leadership infiltrates and consumes entirely, keeping the small brand’s name. The small group’s leader loses independence, but receives a massive influx of manpower, while Conti gets a new subsidiary group.

This structure is different from the Ransomware-as-a-Service model, says AdvIntel, since this network does not seem to be accepting new members. Moreover, the researchers say, unlike RaaS, this model seems to value operations being executed in an organized, team-led manner. Finally, all the members know each other very well personally and are able to leverage these personal connections and the loyalty that comes with them.

What does this mean for IT defenders? Not much. It’s still vital to perform cybersecurity basics to protect against any cyber attack:

  • inventory and triage hardware and software so vital devices and applications can be patched as soon as security updates are available;
  • have all staff enrolled in multifactor authentication as an extra step to protect logins; ensure staff and partners only have access to data and systems they need;
  • segment data and networks;
  • encrypt sensitive data at rest and in transit; have one copy of backup data saved offline and off-site;
  • test backup and recovery procedures to make sure they work and staff know what to do;
  • have an incident response plan that is regularly tested.

For more advice see the reports of the Ransomware Task Force, the Canadian Centre for Cyber Security’s ransomware resource pages and the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Stop Ransomware web site.

Meanwhile, the CISA announced Friday it plans to soon convene a Joint Ransomware Task Force as mandated under a recently-passed federal law. It would be co-chaired by the CISA and the FBI. When fully implemented, the legislation will require critical infrastructure companies to report to the federal government any substantial cybersecurity incidents within 72 hours or ransom payments within 24 hours.

The U.S. Justice Department also said it will increase work to crack down on illegal cryptocurrency transactions and work closer with other countries to prosecute threat actors.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now